Paths to Safety
Report prepared in conjunction with ASIS International
On any given day, the newspaper, television or radio will contain another report of a threat or disaster somewhere in the world. But most building occupants don’t worry about whether they will be able to exit the building quickly and safely if a fire, terrorist attack, earthquakes or other disaster struck. That makes it all the more important that the facility executive develop a threat-response plan that guides occupants on how to react during an emergency. At Georgia Tech, eight steps proved to be key to developing the plan.
Step 1: Gather Information
Gather all existing documentation, whether it’s a formal emergency response plan, hazardous materials plan or a select agents plan. Even informal processes related to emergency preparedness should be identified and cataloged as a starting point. Pulling that information together will likely entail asking those involved with emergency response to write down steps they would expect to follow and actions they have taken. It’s essential to determine what is available and what is needed to support threat-response planning.
Step 2: Get help
Identify internal and external resources that could be used during an emergency or that could help develop a threat-response plan. Georgia Tech conducted a survey of entities that either performed research, supported research or provided support or response to university operations. The initial list offered insight into how Georgia Tech could respond to emergencies. The information-gathering effort also brought the expertise of many groups into the planning process.
One example shows the value of this exercise. The Georgia Department of Natural Resources (DNR) is responsible for the inspection of and response to any matters involving nuclear materials and operations for the state. Coincidentally, DNR’s official response personnel, who ultimately would be responding to any nuclear issue, work for Georgia Tech in a special group trained to respond to radioactive issues.
That group was only one of the many identified resources that would be included in the resource-identification section of the plan.
Step 3: Build Support
Establish a hierarchy of involvement in the threat-response effort. This step provides the broad-based support necessary to accomplish both tactical and strategic goals. Georgia Tech has three tiers of involvement: participation, guidance counseling and oversight.
The front line of emergency planners — known as emergency planning coordinators at Georgia Tech — actually develop individual emergency plans tailored to specific locations. These plans address evacuation, sheltering in place and post-evacuation assembly areas. Individual plans are based on a template contained in the overall emergency action plan.
The next level of the hierarchy is known as the Emergency Planning Coordinator Evaluation Council (EPCAC), a group of six to eight employees with experience in law enforcement, fire protection, hazardous materials or other public service areas. Among other things, this group evaluates nominations for emergency planning coordinators and reviews their performance.
The final tier of the hierarchy is the Executive Oversight Committee. At Georgia Tech, that group is made up of vice presidents, deans and senior administrators with major operational responsibilities. The function of this committee is to ensure cooperation and support from the many diverse entities on the campus.
Although these groups play important roles in developing and implementing emergency response plans, they do not have responsibility for the overall emergency plan. That responsibility falls to an individual who serves as the focal point for emergency efforts. In the case of Georgia Tech, that person is the university’s director of homeland security. There is a close working relationship between the person with overall planning responsibility and the various groups in the hierarchy. For example, at Georgia Tech, EPCAC members provide advice to the director of homeland security, while the Executive Oversight Committee reviews emergency-response decisions related to homeland security matters like liaison with law enforcement groups or university-wide responses to changes in the federal threat-level color codes.
Step 4: Determine Threats
Research available historical data indicating the most likely hazards or disasters facing the organization. Along the coast in the Southeast, flooding and severe weather, such as hurricanes, are of more concern than earthquakes. In the San Francisco area, the opposite is true. The Federal Emergency Management Agency (FEMA) provides extensive resource documentation. FEMA 386-2, Identifying Your Risks, is an especially useful guide. FEMA’s Web site, www.fema.gov, is invaluable in providing templates and matrices useful in the planning process.
Step 5: Assess Risk
Conduct a vulnerability and criticality assessment. Also known as a risk assessment or mitigation plan, this analysis identifies all critical assets — including personnel, facilities and support infrastructure — and ranks them based on the following criteria:
- Life safety of student or business populations
- Infrastructure support for the entire facility
- Other operations and facilities necessary to maintain business continuity.
- Operations and facilities support for specific critical business functions
Once all the assets have been identified and cataloged, the real work comes with identifying the vulnerabilities for each. The assessment involves actually visiting each facility and asking questions of personnel who operate it, as well as those that use it in support of their job or education.
Questions should be designed to determine:
- What is the primary function of the facility?
- What hazardous materials are in the facility or the surrounding area? This list should not be restricted to materials with material safety data sheets.
- Are there any high-risk facilities adjacent to the facility that may pose a significant risk and that are under the direct control or ownership of another organization?
- Are there any processes performed in the facility that require special safety and security procedures?
- Can the building be secured quickly if necessary?
- Are written evacuation and emergency plans available? Are they available on a Web site? Are there security controls in place for that information?
- Are there support infrastructure functions that are not controlled by the facility or the organization? Who controls those functions? Where are they controlled from? Is the place protected? Alarmed? Patrolled? Is it possible to tell if anything has been tampered with or sabotaged?
- Does the facility have control over visitors? Are there sign-in procedures? Package checks? Are visitors allowed to wander the facility without escort? Are cameras and recorders allowed into the facility? Is the facility recording activity with cameras and recorders? Who reviews the tapes and how often? Does the facility have guards or security personnel? For what reason? Are they trained in emergency response?
- Where is the computer-support infrastructure? Who controls the wiring closets? Does the facility have control over issuing keys for these closets and all other keys to the facility? Are there any internal controls or processes concerning wireless networks?
- Is the person who develops vulnerability and criticality assessments informed about facility plans, changes and tactical and strategic decisions? If not, can a functional oversight committee of executives be established to ensure communications?
These are just a sample of the questions that should be answered to understand the vulnerability of each location being addressed in this process. The list is not all inclusive and should be tailored to the individual needs and functions of the facilities in question.
Step 6: Develop Plan
Once the vulnerability and criticality assessment is completed, the next step is to develop a plan of action for each of the issues. FEMA document 386-3, Developing the Mitigation Plan, can help in this phase.
Each of the actions should be ranked using a matrix developed to determine not only the priority, but also the resources needed to respond and the estimated costs associated with the mitigation. Costs should include the frequency with which the actions will be used to identify the risk. The matrix should show all the stakeholders at the facility how priorities were established. This explanation is critical; otherwise, when the emergency plan is instituted, there will be many calls from people who believe that their building, area and department need priority attention.
Georgia Tech developed a mitigation plan that initiates actions at each level of the U.S. Department of Homeland Security’s color-code system — the green-through-red indicators of the risk of terrorist actions. Georgia Tech uses the guideline as a baseline for every unit, building and department on campus. If the threat code moves to orange or red from the yellow or “elevated” level, Georgia Tech will probably respond similarly, depending on the total threat posed to the area. When this happens, the president of Georgia Tech will notify the campus of the change, based on the recommendation of Georgia Tech’s homeland security division, which will signal the emergency response coordinators to enact their own response plans. The goal is to ensure that everyone can respond effectively, rather than impose a single, campus-wide response plan that may not apply to every aspect of the operation.
For example, many buildings are open during the day for classes and other normal academic activities. But when the higher level of threat is announced, access may be restricted so that students, faculty and staff members must use their magnetic stripe or proximity cards to gain access to different facilities. At each color-code level, access privileges are further limited.
During the fall of 2003, ASIS International established a committee of security professionals to create a color-code threat-response plan. The plan was comprehensive in taking into consideration actions needed to prepare and respond to emergencies at each level. This plan was designed to support all businesses, educational institutions and government entities, regardless of the size and complexity.
Step 7: Implement Plan
Adopt and implement the threat-response plan. It is imperative to have the chief executive officer or owner endorse and adopt the plan.
To implement the plan, it is important to identify outside sources of funds. The Department of Homeland Security, for example, allocates funds to states, which distribute the money according to their own regulations. There are also research grants from the Department of Justice and the National Institute of Health, as well as other sources of funds.
Finally, it is essential to develop a method of evaluating progress, identifying roadblocks and ensuring that milestones are met. The ability to track and show progress is a great benefit when going to management for support.
Step 8: Conduct Tests
This entire process is a very dynamic method of protecting a facility. It is critical to review the process, update the threat-response plan and test the overall plan. Testing should not be limited to fire drills or false alarms with the resultant evacuations. Rather, testing should be designed to assure that everybody understands what to do in an emergency. People should know which means of communication are available, how to ensure all personnel are evacuated and what are the designated assembly points. Tabletop-planning exercises, limited drills and full exercises should be used frequently. Without full exercises, the most important aspect of the plan, there’s really no way to know if all the work put into the plan has produced a plan that works.
Robert F. Lang, CPP, is director of homeland security at Georgia Tech University. An ASIS International member since 1980, he was part of the ASIS International committee that created a model plan for responding to changes in the federal government’s color-coded threat ranking system.
ASIS Offers Educational Tools for Members and Security Community
Founded in 1955, ASIS International (ASIS) has more than 33,000 security professionals as members worldwide. ASIS advocates the role and value of the security management profession to business, the media, government entities and the public. In addition, it develops educational programs and materials that address a broad range of security interests. Among the resources soon to be available is a security guideline. A draft of the guideline, Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery, is available for public review and comment until Sept. 10.